2. Configuring the SGD Gateway
SGD Gateway Configuration Tasks
Client Device to SGD Gateway Connections
How to Configure the Ports and Connections for the SGD Gateway
How to Install an SSL Certificate for Client Connections Into the Client Keystore
SGD Gateway to SGD Server Connections
How to Install SGD Server Certificates
How to Install SGD Gateway Certificates on the SGD Array
How to Configure SGD Client Connections
This section includes instructions for configuring the connections used by the SGD Gateway.
The following configuration tasks are described:
Configuring connections between the client device and an SGD Gateway involves the following configuration tasks:
(Optional) Configure the ports and connections used by the SGD Gateway.
You configure these settings when you install the SGD Gateway.
To change these settings, see How to Configure the Ports and Connections for the SGD Gateway.
(Optional) On the SGD Gateway, install an SSL certificate for client connections.
See How to Install an SSL Certificate for Client Connections Into the Client Keystore.
You only need to use this procedure if you want to change the settings you made during installation of the SGD Gateway.
# /opt/SUNWsgdg/bin/gateway config create
Answer the on-screen questions, to configure the following:
SGD Gateway port settings. The interface and port used by the SGD Gateway for incoming connections.
Network entry point. The Internet Protocol (IP) address, or Domain Name System (DNS) name, and port that client devices use to connect to the SGD Gateway. This is not always the same as the address of the SGD Gateway. Depending on the configuration of your network, this can be the address of a load balancer or other external device.
Secure connections. Whether to secure the connections between the SGD Gateway and the SGD servers in the array. To use secure connections, the SGD servers in the array must be running in secure mode.
The SGD Gateway is configured using the settings you entered.
The SSL certificate that the SGD Gateway uses for client connections is called the SGD Gateway SSL certificate. The SSL certificate is stored in the client keystore, /opt/SUNWsgdg/proxy/etc/keystore.client.
By default, the SGD Gateway uses a self-signed SGD Gateway SSL certificate for client connections, but you can replace the self-signed SSL certificate with a certificate signed by a certificate authority (CA).
The following procedure assumes you have an SSL certificate signed by a CA.
The private key you install must be in Privacy Enhanced Mail (PEM) format.
Use the gateway sslkey import command, as follows:
# /opt/SUNWsgdg/bin/gateway sslkey import \ --keyfile temp.key \ --keyalg RSA \ --certfile example.com.pem
Here, the certificate file example.com.pem and the corresponding RSA-encoded private key, temp.key, are imported into the client keystore.
The existing self-signed SSL certificate in the client keystore is overwritten.
![]() | Caution - Only use this step if you are not performing initial configuration of the SGD Gateway. Restarting the SGD Gateway at this stage during initial configuration displays an error message, because initial configuration of the SGD Gateway has not been completed. |
Restart the SGD Gateway if you are replacing the SSL certificate on an SGD Gateway that is already configured and running.
Note - Restarting the SGD Gateway disconnects all user sessions and application sessions that are running through the SGD Gateway.
On the SGD Gateway host, run the following command:
# /opt/SUNWsgdg/bin/gateway restart
The connections between an SGD Gateway and the SGD servers in the array use certificates for mutual authorization. Configuring these connections involves the following configuration tasks:
Install SGD server certificates on the SGD Gateway.
Install the SGD Gateway certificate on the SGD array.
See How to Install SGD Gateway Certificates on the SGD Array.
Configure SGD Client connections for the SGD Gateway.
To use this procedure, the SGD servers in the array must be running in secure mode.
See “Secure Connections to SGD Servers” in Chapter 1 of the Oracle Secure Global Desktop 4.6 Administration Guide for more information about how to enable security services on an SGD server.
Repeat the following procedure for each SGD server in the array.
The CA certificate for an SGD server is at /opt/tarantella/var/info/certs/PeerCAcert.pem on the SGD host.
Note - This is the same CA certificate that the SGD server uses for secure intra-array communication.
The SGD Gateway keystore directory is /opt/SUNWsgdg/proxy/etc.
When you copy the CA certificate, it is best practice to rename the certificate file so that you can identify what the file contains and the SGD server it came from.
The SSL certificate for an SGD server running in secure mode is at /opt/tarantella/var/tsp/cert.pem on the SGD host.
The SGD Gateway keystore directory is /opt/SUNWsgdg/proxy/etc.
When you copy the SSL certificate, it is best practice to rename the certificate file so that you can identify what the file contains and the SGD server it came from.
# /opt/SUNWsgdg/bin/gateway server add --server sgd-server1 \ --certfile /opt/SUNWsgdg/proxy/etc/PeerCAcert.pem --url https://sgd1.example.com \ --ssl-certfile /opt/SUNWsgdg/proxy/etc/cert.pem
The --server option defines the alias names used when storing the certificates in the keystore. In this example, the CA certificate is stored using an alias of sgd-server1, the SSL certificate is stored using an alias of sgd-server1-ssl.
https://sgd1.example.com is the Uniform Resource Locator (URL) of the SGD web server.
Note - Restarting the SGD Gateway disconnects all user sessions and application sessions that are running through the SGD Gateway.
On the SGD Gateway host, run the following command:
# /opt/SUNWsgdg/bin/gateway restart
Repeat the following procedure for each SGD Gateway.
Use the gateway cert export command, as follows:
# /opt/SUNWsgdg/bin/gateway cert export --certfile gateway1.pem
The certificate is exported to the file gateway1.pem.
When you export the certificate, it is best practice to name the certificate file so that you can identify the SGD Gateway it came from.
# chmod 644 /opt/tarantella/var/tsp/gateway1.pem
# tarantella gateway add --name sgd-gateway1 \ --certfile /opt/tarantella/var/tsp/gateway1.pem
where sgd-gateway1 is a name used by SGD to identify the SGD Gateway, and gateway1.pem is the SGD Gateway certificate file name.
To register multiple SGD Gateways at the same time, use the --file
option of the tarantella gateway add command. See The tarantella gateway Command for more details.
Configuration changes made using tarantella gateway add are replicated to the other SGD servers in the array.
On the primary SGD server, set the --security-gateway global attribute to define which SGD Clients can use the SGD Gateway, based on their IP address or DNS name.
To specify that all SGD Client connections are routed through TCP port 443 of a single SGD Gateway gateway1.example.com, use the following command:
$ tarantella config edit --security-gateway \ "*:sgdg:gateway1.example.com:443"
To specify that all SGD Client connections are routed through TCP port 443 of an external load balancer lb.example.com, use the following command:
$ tarantella config edit --security-gateway \ "*:sgdg:lb.example.com:443"
Note - Changes to the --security-gateway attribute affect all SGD servers in the array. The changes only apply to new user sessions.
See The --security-gateway Attribute for more details about how to use the --security-gateway attribute to define
multiple SGD Client connection filters.
Configuring connections between the client device and an external load balancer involves the following configuration tasks:
Configure the load balancer to accept connections from client devices.
See your load balancer documentation for details of how to do this.
(Optional) Install the SSL certificate for the SGD Gateway on to the load balancer.
See your load balancer documentation for details of how to do this.
Configuring connections between an external load balancer and the SGD Gateway involves the following configuration tasks:
Configure the ports and connections used by the SGD Gateway.
See How to Configure the Ports and Connections for the SGD Gateway.
(Optional) On the SGD Gateway, install an SSL certificate for incoming client connections.
See How to Install an SSL Certificate for Client Connections Into the Client Keystore.